params = new ArrayList<>();
+ int paramIndex = 0;
+ for (X509KeyType caKeyType : X509KeyType.values()) {
+ for (X509KeyType certKeyType : X509KeyType.values()) {
+ for (String keyPassword : new String[] { KEY_EMPTY_PASSWORD, KEY_NON_EMPTY_PASSWORD }) {
+ params.add(new Object[] { caKeyType, certKeyType, keyPassword, paramIndex++ });
+ }
+ }
+ }
+ return params;
+ }
+
+ private X509Util x509Util;
+ private Configuration hbaseConf;
+
+ @Override
+ public void init(X509KeyType caKeyType, X509KeyType certKeyType, String keyPassword,
+ Integer paramIndex) throws Exception {
+ super.init(caKeyType, certKeyType, keyPassword, paramIndex);
+ x509TestContext.setSystemProperties(KeyStoreFileType.JKS, KeyStoreFileType.JKS);
+ x509Util = new X509Util(x509TestContext.getHbaseConf());
+ hbaseConf = x509TestContext.getHbaseConf();
+ }
+
+ @After
+ public void cleanUp() {
+ x509TestContext.clearSystemProperties();
+ x509TestContext.getHbaseConf().unset(X509Util.TLS_CONFIG_OCSP);
+ x509TestContext.getHbaseConf().unset(X509Util.TLS_CONFIG_CLR);
+ x509TestContext.getHbaseConf().unset(X509Util.TLS_CONFIG_PROTOCOL);
+ System.clearProperty("com.sun.net.ssl.checkRevocation");
+ System.clearProperty("com.sun.security.enableCRLDP");
+ Security.setProperty("ocsp.enable", Boolean.FALSE.toString());
+ Security.setProperty("com.sun.security.enableCRLDP", Boolean.FALSE.toString());
+ }
+
+ @Test
+ public void testCreateSSLContextWithoutCustomProtocol() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ SSLContext sslContext = x509Util.getDefaultSSLContextAndOptions().getSSLContext();
+ assertEquals(X509Util.DEFAULT_PROTOCOL, sslContext.getProtocol());
+ }
+
+ @Test
+ public void testCreateSSLContextWithCustomProtocol() throws Exception {
+ final String protocol = "TLSv1.1";
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ hbaseConf.set(X509Util.TLS_CONFIG_PROTOCOL, protocol);
+ SSLContext sslContext = x509Util.getDefaultSSLContextAndOptions().getSSLContext();
+ assertEquals(protocol, sslContext.getProtocol());
+ }
+
+ @Test
+ public void testCreateSSLContextWithoutKeyStoreLocation() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ hbaseConf.unset(X509Util.TLS_CONFIG_KEYSTORE_LOCATION);
+ x509Util.getDefaultSSLContextAndOptions();
+ }
+
+ @Test(expected = X509Exception.SSLContextException.class)
+ public void testCreateSSLContextWithoutKeyStorePassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ if (!x509TestContext.isKeyStoreEncrypted()) {
+ throw new X509Exception.SSLContextException("");
+ }
+ hbaseConf.unset(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD);
+ x509Util.getDefaultSSLContextAndOptions();
+ }
+
+ // It would be great to test the value of PKIXBuilderParameters#setRevocationEnabled,
+ // but it does not appear to be possible
+ @Test
+ public void testCRLEnabled() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ hbaseConf.setBoolean(X509Util.TLS_CONFIG_CLR, true);
+ x509Util.getDefaultSSLContextAndOptions();
+ assertTrue(Boolean.valueOf(System.getProperty("com.sun.net.ssl.checkRevocation")));
+ assertTrue(Boolean.valueOf(System.getProperty("com.sun.security.enableCRLDP")));
+ assertFalse(Boolean.valueOf(Security.getProperty("ocsp.enable")));
+ }
+
+ @Test
+ public void testCRLDisabled() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ x509Util.getDefaultSSLContextAndOptions();
+ assertFalse(Boolean.valueOf(System.getProperty("com.sun.net.ssl.checkRevocation")));
+ assertFalse(Boolean.valueOf(System.getProperty("com.sun.security.enableCRLDP")));
+ assertFalse(Boolean.valueOf(Security.getProperty("ocsp.enable")));
+ }
+
+ @Test
+ public void testOCSPEnabled() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ hbaseConf.setBoolean(X509Util.TLS_CONFIG_OCSP, true);
+ x509Util.getDefaultSSLContextAndOptions();
+ assertTrue(Boolean.valueOf(System.getProperty("com.sun.net.ssl.checkRevocation")));
+ assertFalse(Boolean.valueOf(System.getProperty("com.sun.security.enableCRLDP")));
+ assertTrue(Boolean.valueOf(Security.getProperty("ocsp.enable")));
+ }
+
+ @Test
+ public void testLoadJKSKeyStore() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a key manager from the JKS file on disk
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ x509TestContext.getKeyStorePassword(), KeyStoreFileType.JKS.getPropertyValue());
+ }
+
+ @Test
+ public void testLoadJKSKeyStoreNullPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ if (!x509TestContext.getKeyStorePassword().isEmpty()) {
+ return;
+ }
+ // Make sure that empty password and null password are treated the same
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null,
+ KeyStoreFileType.JKS.getPropertyValue());
+ }
+
+ @Test
+ public void testLoadJKSKeyStoreFileTypeDefaultToJks() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a key manager from the JKS file on disk
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ x509TestContext.getKeyStorePassword(),
+ null /* null StoreFileType means 'autodetect from file extension' */);
+ }
+
+ @Test
+ public void testLoadJKSKeyStoreWithWrongPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ assertThrows(X509Exception.KeyManagerException.class, () -> {
+ // Attempting to load with the wrong key password should fail
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password",
+ KeyStoreFileType.JKS.getPropertyValue());
+ });
+ }
+
+ @Test
+ public void testLoadJKSTrustStore() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a trust manager from the JKS file on disk
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ x509TestContext.getTrustStorePassword(), KeyStoreFileType.JKS.getPropertyValue(), true, true);
+ }
+
+ @Test
+ public void testLoadJKSTrustStoreNullPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ if (!x509TestContext.getTrustStorePassword().isEmpty()) {
+ return;
+ }
+ // Make sure that empty password and null password are treated the same
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), null,
+ KeyStoreFileType.JKS.getPropertyValue(), false, false);
+ }
+
+ @Test
+ public void testLoadJKSTrustStoreFileTypeDefaultToJks() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a trust manager from the JKS file on disk
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(),
+ x509TestContext.getTrustStorePassword(), null, // null StoreFileType means 'autodetect from
+ // file extension'
+ true, true);
+ }
+
+ @Test
+ public void testLoadJKSTrustStoreWithWrongPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ assertThrows(X509Exception.TrustManagerException.class, () -> {
+ // Attempting to load with the wrong key password should fail
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.JKS).getAbsolutePath(), "wrong password",
+ KeyStoreFileType.JKS.getPropertyValue(), true, true);
+ });
+ }
+
+ @Test
+ public void testLoadPKCS12KeyStore() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a key manager from the PKCS12 file on disk
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
+ x509TestContext.getKeyStorePassword(), KeyStoreFileType.PKCS12.getPropertyValue());
+ }
+
+ @Test
+ public void testLoadPKCS12KeyStoreNullPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ if (!x509TestContext.getKeyStorePassword().isEmpty()) {
+ return;
+ }
+ // Make sure that empty password and null password are treated the same
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null,
+ KeyStoreFileType.PKCS12.getPropertyValue());
+ }
+
+ @Test
+ public void testLoadPKCS12KeyStoreWithWrongPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ assertThrows(X509Exception.KeyManagerException.class, () -> {
+ // Attempting to load with the wrong key password should fail
+ X509Util.createKeyManager(
+ x509TestContext.getKeyStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
+ "wrong password", KeyStoreFileType.PKCS12.getPropertyValue());
+ });
+ }
+
+ @Test
+ public void testLoadPKCS12TrustStore() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ // Make sure we can instantiate a trust manager from the PKCS12 file on disk
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
+ x509TestContext.getTrustStorePassword(), KeyStoreFileType.PKCS12.getPropertyValue(), true,
+ true);
+ }
+
+ @Test
+ public void testLoadPKCS12TrustStoreNullPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ if (!x509TestContext.getTrustStorePassword().isEmpty()) {
+ return;
+ }
+ // Make sure that empty password and null password are treated the same
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(), null,
+ KeyStoreFileType.PKCS12.getPropertyValue(), false, false);
+ }
+
+ @Test
+ public void testLoadPKCS12TrustStoreWithWrongPassword() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ assertThrows(X509Exception.TrustManagerException.class, () -> {
+ // Attempting to load with the wrong key password should fail
+ X509Util.createTrustManager(
+ x509TestContext.getTrustStoreFile(KeyStoreFileType.PKCS12).getAbsolutePath(),
+ "wrong password", KeyStoreFileType.PKCS12.getPropertyValue(), true, true);
+ });
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesJava8() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("1.8");
+ // Java 8 default should have the CBC suites first
+ assertTrue(cipherSuites[0].contains("CBC"));
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesJava9() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("9");
+ // Java 9+ default should have the GCM suites first
+ assertTrue(cipherSuites[0].contains("GCM"));
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesJava10() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("10");
+ // Java 9+ default should have the GCM suites first
+ assertTrue(cipherSuites[0].contains("GCM"));
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesJava11() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("11");
+ // Java 9+ default should have the GCM suites first
+ assertTrue(cipherSuites[0].contains("GCM"));
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesUnknownVersion() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ String[] cipherSuites = X509Util.getDefaultCipherSuitesForJavaVersion("notaversion");
+ // If version can't be parsed, use the more conservative Java 8 default
+ assertTrue(cipherSuites[0].contains("CBC"));
+ }
+
+ @Test
+ public void testGetDefaultCipherSuitesNullVersion() throws Exception {
+ init(caKeyType, certKeyType, keyPassword, paramIndex);
+ assertThrows(NullPointerException.class, () -> {
+ X509Util.getDefaultCipherSuitesForJavaVersion(null);
+ });
+ }
+}
diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509KeyType.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509KeyType.java
new file mode 100644
index 000000000000..1d5c042f04a6
--- /dev/null
+++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509KeyType.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+/**
+ * Represents a type of key pair used for X509 certs in tests. The two options are RSA or EC
+ * (elliptic curve).
+ *
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see Base
+ * revision
+ */
+public enum X509KeyType {
+ RSA,
+ EC
+}
diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
new file mode 100644
index 000000000000..3eee7e64f766
--- /dev/null
+++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestContext.java
@@ -0,0 +1,422 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import static java.util.Objects.requireNonNull;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.lang.invoke.MethodHandles;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.bouncycastle.asn1.x500.X500NameBuilder;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+
+/**
+ * This class simplifies the creation of certificates and private keys for SSL/TLS connections.
+ *
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see Base
+ * revision
+ */
+@InterfaceAudience.Private
+public final class X509TestContext {
+
+ private static final String TRUST_STORE_PREFIX = "hbase_test_ca";
+ private static final String KEY_STORE_PREFIX = "hbase_test_key";
+
+ private final File tempDir;
+ private final Configuration hbaseConf = HBaseConfiguration.create();
+
+ private final X509Certificate trustStoreCertificate;
+ private final String trustStorePassword;
+ private File trustStoreJksFile;
+ private File trustStorePemFile;
+ private File trustStorePkcs12File;
+
+ private final KeyPair keyStoreKeyPair;
+ private final X509Certificate keyStoreCertificate;
+ private final String keyStorePassword;
+ private File keyStoreJksFile;
+ private File keyStorePemFile;
+ private File keyStorePkcs12File;
+
+ /**
+ * Constructor is intentionally private, use the Builder class instead.
+ * @param tempDir the directory in which key store and trust store temp files will be
+ * written.
+ * @param trustStoreKeyPair the key pair for the trust store.
+ * @param trustStorePassword the password to protect a JKS trust store (ignored for PEM trust
+ * stores).
+ * @param keyStoreKeyPair the key pair for the key store.
+ * @param keyStorePassword the password to protect the key store private key.
+ */
+ private X509TestContext(File tempDir, KeyPair trustStoreKeyPair, String trustStorePassword,
+ KeyPair keyStoreKeyPair, String keyStorePassword)
+ throws IOException, GeneralSecurityException, OperatorCreationException {
+ if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
+ throw new IllegalStateException("BC Security provider was not found");
+ }
+ this.tempDir = requireNonNull(tempDir);
+ if (!tempDir.isDirectory()) {
+ throw new IllegalArgumentException("Not a directory: " + tempDir);
+ }
+ this.trustStorePassword = requireNonNull(trustStorePassword);
+ this.keyStoreKeyPair = requireNonNull(keyStoreKeyPair);
+ this.keyStorePassword = requireNonNull(keyStorePassword);
+
+ X500NameBuilder caNameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
+ caNameBuilder.addRDN(BCStyle.CN,
+ MethodHandles.lookup().lookupClass().getCanonicalName() + " Root CA");
+ trustStoreCertificate =
+ X509TestHelpers.newSelfSignedCACert(caNameBuilder.build(), trustStoreKeyPair);
+
+ X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
+ nameBuilder.addRDN(BCStyle.CN,
+ MethodHandles.lookup().lookupClass().getCanonicalName() + " Zookeeper Test");
+ keyStoreCertificate = X509TestHelpers.newCert(trustStoreCertificate, trustStoreKeyPair,
+ nameBuilder.build(), keyStoreKeyPair.getPublic());
+ trustStorePkcs12File = null;
+ trustStorePemFile = null;
+ trustStoreJksFile = null;
+ keyStorePkcs12File = null;
+ keyStorePemFile = null;
+ keyStoreJksFile = null;
+ }
+
+ public File getTempDir() {
+ return tempDir;
+ }
+
+ public String getTrustStorePassword() {
+ return trustStorePassword;
+ }
+
+ /**
+ * Returns the path to the trust store file in the given format (JKS or PEM). Note that the file
+ * is created lazily, the first time this method is called. The trust store file is temporary and
+ * will be deleted on exit.
+ * @param storeFileType the store file type (JKS or PEM).
+ * @return the path to the trust store file.
+ * @throws IOException if there is an error creating the trust store file.
+ */
+ public File getTrustStoreFile(KeyStoreFileType storeFileType) throws IOException {
+ switch (storeFileType) {
+ case JKS:
+ return getTrustStoreJksFile();
+ case PEM:
+ return getTrustStorePemFile();
+ case PKCS12:
+ return getTrustStorePkcs12File();
+ default:
+ throw new IllegalArgumentException("Invalid trust store type: " + storeFileType
+ + ", must be one of: " + Arrays.toString(KeyStoreFileType.values()));
+ }
+ }
+
+ private File getTrustStoreJksFile() throws IOException {
+ if (trustStoreJksFile == null) {
+ File trustStoreJksFile = File.createTempFile(TRUST_STORE_PREFIX,
+ KeyStoreFileType.JKS.getDefaultFileExtension(), tempDir);
+ trustStoreJksFile.deleteOnExit();
+ try (
+ final FileOutputStream trustStoreOutputStream = new FileOutputStream(trustStoreJksFile)) {
+ byte[] bytes =
+ X509TestHelpers.certToJavaTrustStoreBytes(trustStoreCertificate, trustStorePassword);
+ trustStoreOutputStream.write(bytes);
+ trustStoreOutputStream.flush();
+ } catch (GeneralSecurityException e) {
+ throw new IOException(e);
+ }
+ this.trustStoreJksFile = trustStoreJksFile;
+ }
+ return trustStoreJksFile;
+ }
+
+ private File getTrustStorePemFile() throws IOException {
+ if (trustStorePemFile == null) {
+ File trustStorePemFile = File.createTempFile(TRUST_STORE_PREFIX,
+ KeyStoreFileType.PEM.getDefaultFileExtension(), tempDir);
+ trustStorePemFile.deleteOnExit();
+ FileUtils.writeStringToFile(trustStorePemFile,
+ X509TestHelpers.pemEncodeX509Certificate(trustStoreCertificate), StandardCharsets.US_ASCII,
+ false);
+ this.trustStorePemFile = trustStorePemFile;
+ }
+ return trustStorePemFile;
+ }
+
+ private File getTrustStorePkcs12File() throws IOException {
+ if (trustStorePkcs12File == null) {
+ File trustStorePkcs12File = File.createTempFile(TRUST_STORE_PREFIX,
+ KeyStoreFileType.PKCS12.getDefaultFileExtension(), tempDir);
+ trustStorePkcs12File.deleteOnExit();
+ try (final FileOutputStream trustStoreOutputStream =
+ new FileOutputStream(trustStorePkcs12File)) {
+ byte[] bytes =
+ X509TestHelpers.certToPKCS12TrustStoreBytes(trustStoreCertificate, trustStorePassword);
+ trustStoreOutputStream.write(bytes);
+ trustStoreOutputStream.flush();
+ } catch (GeneralSecurityException e) {
+ throw new IOException(e);
+ }
+ this.trustStorePkcs12File = trustStorePkcs12File;
+ }
+ return trustStorePkcs12File;
+ }
+
+ public X509Certificate getKeyStoreCertificate() {
+ return keyStoreCertificate;
+ }
+
+ public String getKeyStorePassword() {
+ return keyStorePassword;
+ }
+
+ public boolean isKeyStoreEncrypted() {
+ return keyStorePassword.length() > 0;
+ }
+
+ public Configuration getHbaseConf() {
+ return hbaseConf;
+ }
+
+ /**
+ * Returns the path to the key store file in the given format (JKS, PEM, ...). Note that the file
+ * is created lazily, the first time this method is called. The key store file is temporary and
+ * will be deleted on exit.
+ * @param storeFileType the store file type (JKS, PEM, ...).
+ * @return the path to the key store file.
+ * @throws IOException if there is an error creating the key store file.
+ */
+ public File getKeyStoreFile(KeyStoreFileType storeFileType) throws IOException {
+ switch (storeFileType) {
+ case JKS:
+ return getKeyStoreJksFile();
+ case PEM:
+ return getKeyStorePemFile();
+ case PKCS12:
+ return getKeyStorePkcs12File();
+ default:
+ throw new IllegalArgumentException("Invalid key store type: " + storeFileType
+ + ", must be one of: " + Arrays.toString(KeyStoreFileType.values()));
+ }
+ }
+
+ private File getKeyStoreJksFile() throws IOException {
+ if (keyStoreJksFile == null) {
+ File keyStoreJksFile = File.createTempFile(KEY_STORE_PREFIX,
+ KeyStoreFileType.JKS.getDefaultFileExtension(), tempDir);
+ keyStoreJksFile.deleteOnExit();
+ try (final FileOutputStream keyStoreOutputStream = new FileOutputStream(keyStoreJksFile)) {
+ byte[] bytes = X509TestHelpers.certAndPrivateKeyToJavaKeyStoreBytes(keyStoreCertificate,
+ keyStoreKeyPair.getPrivate(), keyStorePassword);
+ keyStoreOutputStream.write(bytes);
+ keyStoreOutputStream.flush();
+ } catch (GeneralSecurityException e) {
+ throw new IOException(e);
+ }
+ this.keyStoreJksFile = keyStoreJksFile;
+ }
+ return keyStoreJksFile;
+ }
+
+ private File getKeyStorePemFile() throws IOException {
+ if (keyStorePemFile == null) {
+ try {
+ File keyStorePemFile = File.createTempFile(KEY_STORE_PREFIX,
+ KeyStoreFileType.PEM.getDefaultFileExtension(), tempDir);
+ keyStorePemFile.deleteOnExit();
+ FileUtils.writeStringToFile(keyStorePemFile,
+ X509TestHelpers.pemEncodeCertAndPrivateKey(keyStoreCertificate,
+ keyStoreKeyPair.getPrivate(), keyStorePassword),
+ StandardCharsets.US_ASCII, false);
+ this.keyStorePemFile = keyStorePemFile;
+ } catch (OperatorCreationException e) {
+ throw new IOException(e);
+ }
+ }
+ return keyStorePemFile;
+ }
+
+ private File getKeyStorePkcs12File() throws IOException {
+ if (keyStorePkcs12File == null) {
+ File keyStorePkcs12File = File.createTempFile(KEY_STORE_PREFIX,
+ KeyStoreFileType.PKCS12.getDefaultFileExtension(), tempDir);
+ keyStorePkcs12File.deleteOnExit();
+ try (final FileOutputStream keyStoreOutputStream = new FileOutputStream(keyStorePkcs12File)) {
+ byte[] bytes = X509TestHelpers.certAndPrivateKeyToPKCS12Bytes(keyStoreCertificate,
+ keyStoreKeyPair.getPrivate(), keyStorePassword);
+ keyStoreOutputStream.write(bytes);
+ keyStoreOutputStream.flush();
+ } catch (GeneralSecurityException e) {
+ throw new IOException(e);
+ }
+ this.keyStorePkcs12File = keyStorePkcs12File;
+ }
+ return keyStorePkcs12File;
+ }
+
+ /**
+ * Sets the SSL system properties such that the given X509Util object can be used to create SSL
+ * Contexts that will use the trust store and key store files created by this test context.
+ * Example usage:
+ *
+ *
+ * X509TestContext testContext = ...; // create the test context
+ * X509Util x509Util = new QuorumX509Util();
+ * testContext.setSystemProperties(x509Util, KeyStoreFileType.JKS, KeyStoreFileType.JKS);
+ * // The returned context will use the key store and trust store created by the test context.
+ * SSLContext ctx = x509Util.getDefaultSSLContext();
+ *
+ *
+ * @param keyStoreFileType the store file type to use for the key store (JKS, PEM, ...).
+ * @param trustStoreFileType the store file type to use for the trust store (JKS, PEM, ...).
+ * @throws IOException if there is an error creating the key store file or trust store file.
+ */
+ public void setSystemProperties(KeyStoreFileType keyStoreFileType,
+ KeyStoreFileType trustStoreFileType) throws IOException {
+ hbaseConf.set(X509Util.TLS_CONFIG_KEYSTORE_LOCATION,
+ this.getKeyStoreFile(keyStoreFileType).getAbsolutePath());
+ hbaseConf.set(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD, this.getKeyStorePassword());
+ hbaseConf.set(X509Util.TLS_CONFIG_KEYSTORE_TYPE, keyStoreFileType.getPropertyValue());
+ hbaseConf.set(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION,
+ this.getTrustStoreFile(trustStoreFileType).getAbsolutePath());
+ hbaseConf.set(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD, this.getTrustStorePassword());
+ hbaseConf.set(X509Util.TLS_CONFIG_TRUSTSTORE_TYPE, trustStoreFileType.getPropertyValue());
+ }
+
+ public void clearSystemProperties() {
+ hbaseConf.unset(X509Util.TLS_CONFIG_KEYSTORE_LOCATION);
+ hbaseConf.unset(X509Util.TLS_CONFIG_KEYSTORE_PASSWORD);
+ hbaseConf.unset(X509Util.TLS_CONFIG_KEYSTORE_TYPE);
+ hbaseConf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_LOCATION);
+ hbaseConf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_PASSWORD);
+ hbaseConf.unset(X509Util.TLS_CONFIG_TRUSTSTORE_TYPE);
+ }
+
+ /**
+ * Builder class, used for creating new instances of X509TestContext.
+ */
+ public static class Builder {
+
+ private File tempDir;
+ private X509KeyType trustStoreKeyType;
+ private String trustStorePassword;
+ private X509KeyType keyStoreKeyType;
+ private String keyStorePassword;
+
+ /**
+ * Creates an empty builder.
+ */
+ public Builder() {
+ trustStoreKeyType = X509KeyType.EC;
+ trustStorePassword = "";
+ keyStoreKeyType = X509KeyType.EC;
+ keyStorePassword = "";
+ }
+
+ /**
+ * Builds a new X509TestContext from this builder.
+ * @return a new X509TestContext
+ */
+ public X509TestContext build()
+ throws IOException, GeneralSecurityException, OperatorCreationException {
+ KeyPair trustStoreKeyPair = X509TestHelpers.generateKeyPair(trustStoreKeyType);
+ KeyPair keyStoreKeyPair = X509TestHelpers.generateKeyPair(keyStoreKeyType);
+ return new X509TestContext(tempDir, trustStoreKeyPair, trustStorePassword, keyStoreKeyPair,
+ keyStorePassword);
+ }
+
+ /**
+ * Sets the temporary directory. Certificate and private key files will be created in this
+ * directory.
+ * @param tempDir the temp directory.
+ * @return this Builder.
+ */
+ public Builder setTempDir(File tempDir) {
+ this.tempDir = tempDir;
+ return this;
+ }
+
+ /**
+ * Sets the trust store key type. The CA key generated for the test context will be of this
+ * type.
+ * @param keyType the key type.
+ * @return this Builder.
+ */
+ public Builder setTrustStoreKeyType(X509KeyType keyType) {
+ trustStoreKeyType = keyType;
+ return this;
+ }
+
+ /**
+ * Sets the trust store password. Ignored for PEM trust stores, JKS trust stores will be
+ * encrypted with this password.
+ * @param password the password.
+ * @return this Builder.
+ */
+ public Builder setTrustStorePassword(String password) {
+ trustStorePassword = password;
+ return this;
+ }
+
+ /**
+ * Sets the key store key type. The private key generated for the test context will be of this
+ * type.
+ * @param keyType the key type.
+ * @return this Builder.
+ */
+ public Builder setKeyStoreKeyType(X509KeyType keyType) {
+ keyStoreKeyType = keyType;
+ return this;
+ }
+
+ /**
+ * Sets the key store password. The private key (PEM, JKS) and certificate (JKS only) will be
+ * encrypted with this password.
+ * @param password the password.
+ * @return this Builder.
+ */
+ public Builder setKeyStorePassword(String password) {
+ keyStorePassword = password;
+ return this;
+ }
+ }
+
+ /**
+ * Returns a new default-constructed Builder.
+ * @return a new Builder.
+ */
+ public static Builder newBuilder() {
+ return new Builder();
+ }
+
+}
diff --git a/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
new file mode 100644
index 000000000000..869c4633005c
--- /dev/null
+++ b/hbase-common/src/test/java/org/apache/hadoop/hbase/io/crypto/tls/X509TestHelpers.java
@@ -0,0 +1,419 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.io.crypto.tls;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.StringWriter;
+import java.math.BigInteger;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.RSAKeyGenParameterSpec;
+import java.time.LocalDate;
+import java.time.ZoneId;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.OutputEncryptor;
+import org.bouncycastle.operator.bc.BcContentSignerBuilder;
+import org.bouncycastle.operator.bc.BcECContentSignerBuilder;
+import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+
+/**
+ * This class contains helper methods for creating X509 certificates and key pairs, and for
+ * serializing them to JKS, PEM or other keystore type files.
+ *
+ * This file has been copied from the Apache ZooKeeper project.
+ * @see Base
+ * revision
+ */
+@InterfaceAudience.Private
+final class X509TestHelpers {
+
+ private static final SecureRandom PRNG = new SecureRandom();
+ private static final int DEFAULT_RSA_KEY_SIZE_BITS = 2048;
+ private static final BigInteger DEFAULT_RSA_PUB_EXPONENT = RSAKeyGenParameterSpec.F4; // 65537
+ private static final String DEFAULT_ELLIPTIC_CURVE_NAME = "secp256r1";
+ // Per RFC 5280 section 4.1.2.2, X509 certificates can use up to 20 bytes == 160 bits for serial
+ // numbers.
+ private static final int SERIAL_NUMBER_MAX_BITS = 20 * Byte.SIZE;
+
+ /**
+ * Uses the private key of the given key pair to create a self-signed CA certificate with the
+ * public half of the key pair and the given subject and expiration. The issuer of the new cert
+ * will be equal to the subject. Returns the new certificate. The returned certificate should be
+ * used as the trust store. The private key of the input key pair should be used to sign
+ * certificates that are used by test peers to establish TLS connections to each other.
+ * @param subject the subject of the new certificate being created.
+ * @param keyPair the key pair to use. The public key will be embedded in the new certificate, and
+ * the private key will be used to self-sign the certificate.
+ * @return a new self-signed CA certificate.
+ */
+ public static X509Certificate newSelfSignedCACert(X500Name subject, KeyPair keyPair)
+ throws IOException, OperatorCreationException, GeneralSecurityException {
+ LocalDate now = LocalDate.now(ZoneId.of("America/Los_Angeles"));
+ X509v3CertificateBuilder builder = initCertBuilder(subject, // for self-signed certs,
+ // issuer == subject
+ now, now.plusDays(1), subject, keyPair.getPublic());
+ builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); // is a CA
+ builder.addExtension(Extension.keyUsage, true,
+ new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
+ return buildAndSignCertificate(keyPair.getPrivate(), builder);
+ }
+
+ /**
+ * Using the private key of the given CA key pair and the Subject of the given CA cert as the
+ * Issuer, issues a new cert with the given subject and public key. The returned certificate,
+ * combined with the private key half of the certPublicKey, should be used as the key
+ * store.
+ * @param caCert the certificate of the CA that's doing the signing.
+ * @param caKeyPair the key pair of the CA. The private key will be used to sign. The public
+ * key must match the public key in the caCert.
+ * @param certSubject the subject field of the new cert being issued.
+ * @param certPublicKey the public key of the new cert being issued.
+ * @return a new certificate signed by the CA's private key.
+ */
+ public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair,
+ X500Name certSubject, PublicKey certPublicKey)
+ throws IOException, OperatorCreationException, GeneralSecurityException {
+ if (!caKeyPair.getPublic().equals(caCert.getPublicKey())) {
+ throw new IllegalArgumentException(
+ "CA private key does not match the public key in " + "the CA cert");
+ }
+ LocalDate now = LocalDate.now(ZoneId.of("America/Los_Angeles"));
+ X509v3CertificateBuilder builder = initCertBuilder(new X500Name(caCert.getIssuerDN().getName()),
+ now, now.plusDays(1), certSubject, certPublicKey);
+ builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // not a CA
+ builder.addExtension(Extension.keyUsage, true,
+ new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
+ builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(
+ new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth }));
+
+ builder.addExtension(Extension.subjectAlternativeName, false, getLocalhostSubjectAltNames());
+ return buildAndSignCertificate(caKeyPair.getPrivate(), builder);
+ }
+
+ /**
+ * Returns subject alternative names for "localhost".
+ * @return the subject alternative names for "localhost".
+ */
+ private static GeneralNames getLocalhostSubjectAltNames() throws UnknownHostException {
+ InetAddress[] localAddresses = InetAddress.getAllByName("localhost");
+ GeneralName[] generalNames = new GeneralName[localAddresses.length + 1];
+ for (int i = 0; i < localAddresses.length; i++) {
+ generalNames[i] =
+ new GeneralName(GeneralName.iPAddress, new DEROctetString(localAddresses[i].getAddress()));
+ }
+ generalNames[generalNames.length - 1] =
+ new GeneralName(GeneralName.dNSName, new DERIA5String("localhost"));
+ return new GeneralNames(generalNames);
+ }
+
+ /**
+ * Helper method for newSelfSignedCACert() and newCert(). Initializes a X509v3CertificateBuilder
+ * with logic that's common to both methods.
+ * @param issuer Issuer field of the new cert.
+ * @param notBefore date before which the new cert is not valid.
+ * @param notAfter date after which the new cert is not valid.
+ * @param subject Subject field of the new cert.
+ * @param subjectPublicKey public key to store in the new cert.
+ * @return a X509v3CertificateBuilder that can be further customized to finish creating the new
+ * cert.
+ */
+ private static X509v3CertificateBuilder initCertBuilder(X500Name issuer, LocalDate notBefore,
+ LocalDate notAfter, X500Name subject, PublicKey subjectPublicKey) {
+ return new X509v3CertificateBuilder(issuer, new BigInteger(SERIAL_NUMBER_MAX_BITS, PRNG),
+ java.sql.Date.valueOf(notBefore), java.sql.Date.valueOf(notAfter), subject,
+ SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded()));
+ }
+
+ /**
+ * Signs the certificate being built by the given builder using the given private key and returns
+ * the certificate.
+ * @param privateKey the private key to sign the certificate with.
+ * @param builder the cert builder that contains the certificate data.
+ * @return the signed certificate.
+ */
+ private static X509Certificate buildAndSignCertificate(PrivateKey privateKey,
+ X509v3CertificateBuilder builder)
+ throws IOException, OperatorCreationException, CertificateException {
+ BcContentSignerBuilder signerBuilder;
+ if (privateKey.getAlgorithm().contains("RSA")) { // a little hacky way to detect key type, but
+ // it works
+ AlgorithmIdentifier signatureAlgorithm =
+ new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption");
+ AlgorithmIdentifier digestAlgorithm =
+ new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
+ signerBuilder = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm);
+ } else { // if not RSA, assume EC
+ AlgorithmIdentifier signatureAlgorithm =
+ new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withECDSA");
+ AlgorithmIdentifier digestAlgorithm =
+ new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
+ signerBuilder = new BcECContentSignerBuilder(signatureAlgorithm, digestAlgorithm);
+ }
+ AsymmetricKeyParameter privateKeyParam = PrivateKeyFactory.createKey(privateKey.getEncoded());
+ ContentSigner signer = signerBuilder.build(privateKeyParam);
+ return toX509Cert(builder.build(signer));
+ }
+
+ /**
+ * Generates a new asymmetric key pair of the given type.
+ * @param keyType the type of key pair to generate.
+ * @return the new key pair.
+ * @throws GeneralSecurityException if your java crypto providers are messed up.
+ */
+ public static KeyPair generateKeyPair(X509KeyType keyType) throws GeneralSecurityException {
+ switch (keyType) {
+ case RSA:
+ return generateRSAKeyPair();
+ case EC:
+ return generateECKeyPair();
+ default:
+ throw new IllegalArgumentException("Invalid X509KeyType");
+ }
+ }
+
+ /**
+ * Generates an RSA key pair with a 2048-bit private key and F4 (65537) as the public exponent.
+ * @return the key pair.
+ */
+ public static KeyPair generateRSAKeyPair() throws GeneralSecurityException {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ RSAKeyGenParameterSpec keyGenSpec =
+ new RSAKeyGenParameterSpec(DEFAULT_RSA_KEY_SIZE_BITS, DEFAULT_RSA_PUB_EXPONENT);
+ keyGen.initialize(keyGenSpec, PRNG);
+ return keyGen.generateKeyPair();
+ }
+
+ /**
+ * Generates an elliptic curve key pair using the "secp256r1" aka "prime256v1" aka "NIST P-256"
+ * curve.
+ * @return the key pair.
+ */
+ public static KeyPair generateECKeyPair() throws GeneralSecurityException {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ keyGen.initialize(new ECGenParameterSpec(DEFAULT_ELLIPTIC_CURVE_NAME), PRNG);
+ return keyGen.generateKeyPair();
+ }
+
+ /**
+ * PEM-encodes the given X509 certificate and private key (compatible with OpenSSL), optionally
+ * protecting the private key with a password. Concatenates them both and returns the result as a
+ * single string. This creates the PEM encoding of a key store.
+ * @param cert the X509 certificate to PEM-encode.
+ * @param privateKey the private key to PEM-encode.
+ * @param keyPassword an optional key password. If empty or null, the private key will not be
+ * encrypted.
+ * @return a String containing the PEM encodings of the certificate and private key.
+ * @throws IOException if converting the certificate or private key to PEM format
+ * fails.
+ * @throws OperatorCreationException if constructing the encryptor from the given password fails.
+ */
+ public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey,
+ String keyPassword) throws IOException, OperatorCreationException {
+ return pemEncodeX509Certificate(cert) + "\n" + pemEncodePrivateKey(privateKey, keyPassword);
+ }
+
+ /**
+ * PEM-encodes the given private key (compatible with OpenSSL), optionally protecting it with a
+ * password, and returns the result as a String.
+ * @param key the private key.
+ * @param password an optional key password. If empty or null, the private key will not be
+ * encrypted.
+ * @return a String containing the PEM encoding of the private key.
+ * @throws IOException if converting the key to PEM format fails.
+ * @throws OperatorCreationException if constructing the encryptor from the given password fails.
+ */
+ public static String pemEncodePrivateKey(PrivateKey key, String password)
+ throws IOException, OperatorCreationException {
+ StringWriter stringWriter = new StringWriter();
+ JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
+ OutputEncryptor encryptor = null;
+ if (password != null && password.length() > 0) {
+ encryptor =
+ new JceOpenSSLPKCS8EncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC)
+ .setProvider(BouncyCastleProvider.PROVIDER_NAME).setRandom(PRNG)
+ .setPasssword(password.toCharArray()).build();
+ }
+ pemWriter.writeObject(new JcaPKCS8Generator(key, encryptor));
+ pemWriter.close();
+ return stringWriter.toString();
+ }
+
+ /**
+ * PEM-encodes the given X509 certificate (compatible with OpenSSL) and returns the result as a
+ * String.
+ * @param cert the certificate.
+ * @return a String containing the PEM encoding of the certificate.
+ * @throws IOException if converting the certificate to PEM format fails.
+ */
+ public static String pemEncodeX509Certificate(X509Certificate cert) throws IOException {
+ StringWriter stringWriter = new StringWriter();
+ JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
+ pemWriter.writeObject(cert);
+ pemWriter.close();
+ return stringWriter.toString();
+ }
+
+ /**
+ * Encodes the given X509Certificate as a JKS TrustStore, optionally protecting the cert with a
+ * password (though it's unclear why one would do this since certificates only contain public
+ * information and do not need to be kept secret). Returns the byte array encoding of the trust
+ * store, which may be written to a file and loaded to instantiate the trust store at a later
+ * point or in another process.
+ * @param cert the certificate to serialize.
+ * @param keyPassword an optional password to encrypt the trust store. If empty or null, the cert
+ * will not be encrypted.
+ * @return the serialized bytes of the JKS trust store.
+ */
+ public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, String keyPassword)
+ throws IOException, GeneralSecurityException {
+ KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ return certToTrustStoreBytes(cert, keyPassword, trustStore);
+ }
+
+ /**
+ * Encodes the given X509Certificate as a PKCS12 TrustStore, optionally protecting the cert with a
+ * password (though it's unclear why one would do this since certificates only contain public
+ * information and do not need to be kept secret). Returns the byte array encoding of the trust
+ * store, which may be written to a file and loaded to instantiate the trust store at a later
+ * point or in another process.
+ * @param cert the certificate to serialize.
+ * @param keyPassword an optional password to encrypt the trust store. If empty or null, the cert
+ * will not be encrypted.
+ * @return the serialized bytes of the PKCS12 trust store.
+ */
+ public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, String keyPassword)
+ throws IOException, GeneralSecurityException {
+ KeyStore trustStore = KeyStore.getInstance("PKCS12");
+ return certToTrustStoreBytes(cert, keyPassword, trustStore);
+ }
+
+ private static byte[] certToTrustStoreBytes(X509Certificate cert, String keyPassword,
+ KeyStore trustStore) throws IOException, GeneralSecurityException {
+ char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray();
+ trustStore.load(null, keyPasswordChars);
+ trustStore.setCertificateEntry(cert.getSubjectDN().toString(), cert);
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ trustStore.store(outputStream, keyPasswordChars);
+ outputStream.flush();
+ byte[] result = outputStream.toByteArray();
+ outputStream.close();
+ return result;
+ }
+
+ /**
+ * Encodes the given X509Certificate and private key as a JKS KeyStore, optionally protecting the
+ * private key (and possibly the cert?) with a password. Returns the byte array encoding of the
+ * key store, which may be written to a file and loaded to instantiate the key store at a later
+ * point or in another process.
+ * @param cert the X509 certificate to serialize.
+ * @param privateKey the private key to serialize.
+ * @param keyPassword an optional key password. If empty or null, the private key will not be
+ * encrypted.
+ * @return the serialized bytes of the JKS key store.
+ */
+ public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert,
+ PrivateKey privateKey, String keyPassword) throws IOException, GeneralSecurityException {
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
+ }
+
+ /**
+ * Encodes the given X509Certificate and private key as a PKCS12 KeyStore, optionally protecting
+ * the private key (and possibly the cert?) with a password. Returns the byte array encoding of
+ * the key store, which may be written to a file and loaded to instantiate the key store at a
+ * later point or in another process.
+ * @param cert the X509 certificate to serialize.
+ * @param privateKey the private key to serialize.
+ * @param keyPassword an optional key password. If empty or null, the private key will not be
+ * encrypted.
+ * @return the serialized bytes of the PKCS12 key store.
+ */
+ public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert, PrivateKey privateKey,
+ String keyPassword) throws IOException, GeneralSecurityException {
+ KeyStore keyStore = KeyStore.getInstance("PKCS12");
+ return certAndPrivateKeyToBytes(cert, privateKey, keyPassword, keyStore);
+ }
+
+ private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey,
+ String keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException {
+ char[] keyPasswordChars = keyPassword == null ? new char[0] : keyPassword.toCharArray();
+ keyStore.load(null, keyPasswordChars);
+ keyStore.setKeyEntry("key", privateKey, keyPasswordChars, new Certificate[] { cert });
+ ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
+ keyStore.store(outputStream, keyPasswordChars);
+ outputStream.flush();
+ byte[] result = outputStream.toByteArray();
+ outputStream.close();
+ return result;
+ }
+
+ /**
+ * Convenience method to convert a bouncycastle X509CertificateHolder to a java X509Certificate.
+ * @param certHolder a bouncycastle X509CertificateHolder.
+ * @return a java X509Certificate
+ * @throws CertificateException if the conversion fails.
+ */
+ public static X509Certificate toX509Cert(X509CertificateHolder certHolder)
+ throws CertificateException {
+ return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME)
+ .getCertificate(certHolder);
+ }
+
+ private X509TestHelpers() {
+ // empty
+ }
+}
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index f9e52983af5c..f00fba295e2a 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -339,6 +339,16 @@
log4j-1.2-api
test
+
+ org.bouncycastle
+ bcprov-jdk15on
+ test
+
+
+ org.bouncycastle
+ bcpkix-jdk15on
+ test
+